Re: hosts.allow - words of wisdom?
Alexander Kushnirenko <kushnir@pccmu1.fnal.gov> writes:
[snip]
> 1. Does it have some striking errors? I bet I forgot some service...
I prefer to put the denies in /etc/hosts.allow as well; something
like:
ALL : ALL : DENY
at the end, to catch anything not explicitly allowed.
I also prefer to use IP addresses instead of names, in case of spoofed
DNS names and DNS servers being down, so, for example, I have a line:
ALL : 127.0.0.1 192.168.117. : ALLOW
> 2. We run xntp3 to set time, but we don't want to be an NTP server. Does one
> need to allow some ntp service (NTP protocol is quite sophisticated :(
The xntp3 access control configuration is documented in
/usr/doc/xntp3/html/accopt.html in the xntp3-doc package.
I'm actually using the IP firewall code in Linux 2.2.0-pre5 to provide
most of the protection to my system. My ipchains rules are as follows
(actually saved in /etc/ipchains.save and read by ipchains-restore in
/etc/init.d/network).
-----
# Don't accept any incoming packets not explicitly permitted.
ipchains -P input DENY
# Log any attempts at forwarding.
ipchains -P forward DENY
ipchains -A forward -j DENY -l
# Doesn't matter who we talk _to_.
ipchains -P output ACCEPT
# Keep input rules separate for tidiness.
ipchains -N inet_in
# Accept anything on loopback interfaces.
ipchains -A input -i lo -j ACCEPT
ipchains -A input -i dummy0 -j ACCEPT
# Check input traffic on PPP links.
ipchains -A input -i ppp+ -j inet_in
# Accept and log new (-y: SYN only) ident lookup connections on port 113.
ipchains -A inet_in -d 0.0.0.0/0 113 -p TCP -j ACCEPT -l -y
# Only accept other TCP connections on ports FTP uses (and _not_ X).
ipchains -A inet_in -d 0.0.0.0/0 ! 1024:4999 -p TCP -j REJECT -l -y
# Accept NTP traffic with truechimer.waikato.ac.nz.
ipchains -A inet_in -s 130.217.76.16 123 -d 0.0.0.0/0 123 -p UDP -j ACCEPT
# Only accept other UDP traffic on non-privileged ports.
ipchains -A inet_in -d 0.0.0.0/0 0:1023 -p UDP -j REJECT -l
# Accept other traffic (including ICMP and existing TCP connections).
ipchains -A inet_in -j ACCEPT
-----
--
Carey Evans http://home.clear.net.nz/pages/c.evans/
Larry froze. Was the bag a trap?
He could see the way in, but the other end appeared to be sealed.
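As an added illustration of the two layers discussed in the thread (not code from the post or from either poster), the following Python models the ipchains input/inet_in chain above and a tcp_wrappers lookup against a hosts.allow in the style Carey recommends. Rule evaluation order, the SYN-only test that -y implies, the trailing-dot prefix form of tcp_wrappers client patterns, and the effect of omitting the final "ALL : ALL : DENY" are the points it shows. The hosts.allow text, the packet list and the daemon names are constructed for the example; the NTP peer address is the one in the post.

```python
"""Model of the post's ipchains chains plus a tcp_wrappers hosts.allow lookup.
Added example for this page, not the poster's configuration; sample data below
is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

NTP_SERVER = "130.217.76.16"    # truechimer.waikato.ac.nz, taken from the post


@dataclass
class Packet:
    iface: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # SYN set and ACK clear, which is what ipchains -y matches


def inet_in(p):
    """The post's user chain for PPP traffic, rules tested in order."""
    new_tcp = p.proto == "tcp" and p.syn
    if new_tcp and p.dport == 113:
        return "ACCEPT"                  # ident lookups (logged in the post)
    if new_tcp and not 1024 <= p.dport <= 4999:
        return "REJECT"                  # new TCP only to the FTP data range; X (6000+) refused
    if p.proto == "udp" and p.src == NTP_SERVER and p.sport == 123 and p.dport == 123:
        return "ACCEPT"                  # replies from the single NTP peer
    if p.proto == "udp" and p.dport <= 1023:
        return "REJECT"                  # no UDP to privileged ports (DNS, syslog, ...)
    return "ACCEPT"                      # ICMP, established TCP, unprivileged UDP


def input_chain(p):
    """Built-in input chain: loopback accepted, ppp+ goes to inet_in, else policy DENY."""
    if p.iface in ("lo", "dummy0"):
        return "ACCEPT"
    if p.iface.startswith("ppp"):
        return inet_in(p)
    return "DENY"


def parse_hosts_allow(text):
    """Parse 'daemon_list : client_list : option' lines; '#' comments and blanks ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        daemons, clients = fields[0].split(), fields[1].split()
        option = fields[2].upper() if len(fields) > 2 else "ALLOW"
        rules.append((daemons, clients, option))
    return rules


def client_matches(pattern, addr):
    """tcp_wrappers address patterns: ALL, exact address, 'a.b.c.' prefix, net/mask."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return addr.startswith(pattern)
    if "/" in pattern:
        net, mask = pattern.split("/", 1)
        return ip_address(addr) in ip_network(f"{net}/{mask}", strict=False)
    return addr == pattern


def wrappers(rules, daemon, addr):
    """First matching hosts.allow rule wins.  With no match tcpd falls through to
    hosts.deny, and an empty hosts.deny means access: hence the final ALL : ALL : DENY."""
    for daemons, clients, option in rules:
        if ("ALL" in (d.upper() for d in daemons) or daemon in daemons) and \
                any(client_matches(c, addr) for c in clients):
            return option
    return "ALLOW (no rule matched)"


def admit(rules, p, daemon):
    """Verdict for a new TCP connection to a tcpd-wrapped daemon: filter first, then wrappers."""
    verdict = input_chain(p)
    if verdict != "ACCEPT":
        return f"packet filter: {verdict}"
    return f"tcp_wrappers: {wrappers(rules, daemon, p.src)}"


# Constructed sample in the style of the post: addresses, not names; deny last.
HOSTS_ALLOW = """\
ALL : 127.0.0.1 192.168.117. : ALLOW
ALL : ALL : DENY
"""
# Same file without the catch-all, to show what falls through.
OPEN_HOSTS_ALLOW = "ALL : 127.0.0.1 192.168.117. : ALLOW\n"
RULES = parse_hosts_allow(HOSTS_ALLOW)

if __name__ == "__main__":
    stranger = "203.0.113.9"    # constructed remote address
    for pkt, daemon in [
        (Packet("ppp0", "tcp", stranger, 5555, "10.0.0.1", 113, syn=True), "in.identd"),
        (Packet("ppp0", "tcp", stranger, 5555, "10.0.0.1", 6000, syn=True), "xdm"),
        (Packet("ppp0", "udp", NTP_SERVER, 123, "10.0.0.1", 123), "xntpd"),
    ]:
        print(pkt.proto, pkt.dport, "->", admit(RULES, pkt, daemon))
    print("stranger without ALL:ALL:DENY ->",
          wrappers(parse_hosts_allow(OPEN_HOSTS_ALLOW), "sshd", stranger))
```

Note that the ident connection passes the packet filter but is then refused by tcp_wrappers if in.identd runs under tcpd, so the two layers have to be read together; and that "192.168.117." is a string prefix, which is why the trailing dot matters (without it, 192.168.117 would match nothing as an exact address).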